The holidays are quickly creeping up on us. It’s a time for being thankful and giving, but since holidays are often a time for reflection, it can also be a time to reflect on that scary cybersecurity term, phishing. By now nearly everyone has heard it, and if you work in an office you have hopefully received some sort of training or advice on how not to become your organization’s latest victim. However, no matter how often it’s mentioned or how much training is received, even the most cybersecurity-aware can fall for it if they are not careful.

Menlo Security recently released research pointing out the increasing incidence of credential phishing. This happens when an attacker sends phishing emails with the end goal of obtaining login credentials…for something. One of the most “famous” examples occurred during the 2016 presidential election, when Hillary Clinton’s former campaign manager gave up his credentials by clicking on a link in an email he thought came from a colleague.

So while some worry most about their bank accounts being emptied, perhaps it is more important to worry about email credentials, or perhaps those social media logins. After all, there is a lot of valuable information in our social media accounts and those can be used to reach a lot of people, if they are taken over.

There isn’t a single group being targeted for credential phishing, according to the research. The attackers use a couple of methods and target everything from political campaigns to public agencies to anyone that may have valuable data. The methods seem to be either copying websites so closely that they are very difficult to detect as fake, or using websites that actually take over a login page. Either way, if you enter your login credentials, you give them to someone you really don’t want to have them.

Ultimately, these attacks begin with phishing email messages. These often have some specific characteristics…such as trying to scare you into doing something quickly or else suffer some consequence, or simply making fabulous promises of a reward if you just act fast. They induce fear, urgency, or curiosity, or appeal to your emotions.

Phishing is getting more difficult to spot these days. The criminals are getting very good at mimicking websites and crafting messages that look so real that, even if you don’t have a Netflix account, they can make you think you do.

Still, take some time to evaluate a message before clicking any link or attachment. If it comes from an unknown sender, is unexpected, tries to scare you, promises something free if you just click and enter details, or anything that has some sense of urgency or punishment claim, it’s very likely phishing.

Menlo Labs found in their research that the most popular day of the week for phishing to arrive in your inbox is Tuesday. Be particularly cautious on that day of the week. Popular targets were Office 365 and OneDrive, probably because people are likely to go to those places from the workplace network, and that is where the attackers really want to be. Your home network is a small treat compared to the mother lode that is the corporate network.

Remember that these attacks are not the mass spam variety. They are targeted and individualized. They are trying to get those who have the credentials to get the information the criminals really want. Often, but not always, that means those in finance and human resources departments. Be careful what information is on social media about your role at work. This can be used to construct these attacks.

So yes, sorry to break it to you, but you really are the weakest link. Tools can be put in place to scan for malware and spam, but when a message is that specific, it is unlikely any tool will detect it. At that point, security is up to you.

Politics. Always something interesting to discuss and of course one of the forbidden holiday dinner topics. Even something non-partisan, such as the recent incident with the robocall firm RoboCent, will likely spark heated conversation. However, the fact is that details of hundreds of thousands of U.S. voters were found for sale online for a measly 3 cents per record. Don’t hackers know a vote is worth far more than that?

Seriously though, a researcher found the records while querying for the term “voters” using a tool that allows the searching of publicly exposed Amazon Web Services (AWS) storage buckets.

The bucket used by RoboCent contained voter data including names, phone numbers, addresses, precincts, political affiliations inferred from voting trends, age, gender, jurisdiction broken out by district, zip, precinct, county, and state, as well as ethnicity, language, and education demographics. There were even audio files of pre-recorded political messages used for the robo-calling service. That’s a pretty thorough list of data…and it’s pretty cheap in the grand scheme of things. After all, a single healthcare record can cost more than $300. It really does make you go, “Hmmmmm.”

So what does this mean to us, the poor schlubs that have no power over how our information keeps spilling into the wild? It means little until the information is weaponized. Data is just data until it is used to extract data from us. Cybercriminals are getting very good at producing targeted emails with our breached information; the more believable, the higher the click rate. Generally, when folks see a bunch of accurate information about their lives, they believe the email is credible.

Believable emails, text messages, and social media posts are the norm these days and they all pack a punch. Ransomware, banking malware, data/credential stealing trojans and cyberextortion are continually circulating in our cyber-lives waiting for us to click. We can all avoid a ton of headaches if we just don’t click on any unexpected link or attachment. Even if the sender is known, was the link or attachment expected? If not, verify it with the sender via a separate email or phone call.

The researcher who found the exposed data did alert RoboCent about the exposure before alerting the media, and it was quickly secured. But obviously not before at least some damage was done.

Unsecured AWS servers are not uncommon. But that doesn’t mean the companies using them are excused for not securing them and protecting the data contained within them. If you use AWS or any service like it, make sure the data you store there is not left open for researchers, or worse, to find. You have every right and even a responsibility to secure them and to do your own querying for data exposure. There are tools out there that allow you to check up on this, such as the one this researcher used. In the past, many MongoDB servers were found exposed using similar tools. If the “good” guys are using these tools, you can bet the “bad” guys are too.

There are common tactics phishers use to fool employees into opening harmful links, downloading malicious files, and providing passwords and other data that can seriously harm a business. Phishers prey on human emotion and error to achieve their goals. Cybersecurity professionals agree that employee education is a crucial component of cybersecurity. They feel it’s just as important as a company’s data security system. Below are some of the most common phishing tactics toward personnel and how to avoid being hooked, according to Tripwire.

1. The Lure: Deceptive Phishing

Beware emails claiming to be from a vendor or service provider. They frequently use subject headings and content focused on urgent business matters that require your input. They ask an employee to provide personal information and/or log in to a bogus web page that steals their data.

How to Avoid the Hook:

Look for generic information in the email that is not specific to you. Phishers cast a wide net geared toward catching as many employees as possible and therefore avoid being specific. From the IRS to service providers, no legitimate company will ask for sensitive information in an email or provide a link to a web page requesting it.

2. The Lure: Spear Phishing

This one is more sophisticated and can be tricky to spot. Phishers glean specific information about you from social media and other public postings, and they’re not afraid to use it. Data from previous breaches is quickly becoming the most valuable information available. The more specific information a criminal knows about you, the more likely they can produce an enticing email. This is how criminals weaponize data. Data about you is just information, but turning that information into a malware delivery system changes the data into a weapon. Finally, custom domains are often used to make the email that much more credible. So the email may look like a PayPal email, but the email address is slightly off.

Can you spot the fake email address?

support@paypaI.com or support@paypal.com.

The first address is the fake... it has a capital ‘I’ where the lowercase ‘l’ should be. This is an extreme example, but there are thousands of attacks every day using this type of deception.
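Lookalike addresses like the one above can be caught automatically by collapsing confusable characters before comparing the sender’s domain against a list of brands you trust. The following is an added example in Python, not code from the original post; the PROTECTED_DOMAINS list and the sample From headers are constructed for illustration.

```python
"""Flag sender domains that are lookalikes of protected brand domains.

Added example, not from the original page. PROTECTED_DOMAINS and SAMPLE_FROM_HEADERS
are constructed for illustration; swap in your own brand list and real mail headers.
"""
import re
import unicodedata

# Brands this mailbox regularly hears from; constructed list, replace with your own.
PROTECTED_DOMAINS = {"paypal.com", "netflix.com"}

# Single characters that pass for a Latin letter in common mail-client fonts. Applied
# before lowercasing, so a capital I standing in for lowercase l (paypaI.com) is caught.
CONFUSABLES = {
    "I": "l", "1": "l", "|": "l",
    "0": "o",
    "5": "s", "$": "s",
    "3": "e",
    "8": "b",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
}
# Letter pairs that read as one letter at a glance.
PAIR_CONFUSABLES = [("rn", "m"), ("vv", "w")]


def skeleton(name: str) -> str:
    """Collapse a domain name to a canonical form in which lookalikes become equal."""
    text = unicodedata.normalize("NFKC", name)
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    text = text.lower()
    for pair, single in PAIR_CONFUSABLES:
        text = text.replace(pair, single)
    return text


def sender_host(header: str) -> str:
    """Extract the host part of a From header ('Name <user@host>' or bare user@host)."""
    match = re.search(r"<([^>]+)>", header)
    addr = match.group(1) if match else header.strip()
    if "@" not in addr:
        raise ValueError(f"not an email address: {header!r}")
    host = addr.rsplit("@", 1)[1].strip().rstrip(".")
    try:
        # Undo punycode (xn--) so Unicode homoglyphs are visible to the skeleton step.
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already contains non-ASCII, or malformed: inspect it as-is
    return host


def registrable_domain(host: str) -> str:
    """Last two labels, case preserved. Assumption: adequate for the .com brands above;
    use a public-suffix list for multi-label suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])


def classify_sender(header: str) -> str:
    """Return 'trusted', 'unrelated', or a string naming the brand being imitated."""
    host = sender_host(header)
    reg = registrable_domain(host)
    if reg.lower() in PROTECTED_DOMAINS:
        return "trusted"
    labels = host.lower().split(".")
    for brand in sorted(PROTECTED_DOMAINS):
        brand_labels = brand.split(".")
        # Brand name pushed into a subdomain: paypal.com.example.net
        if any(labels[i:i + len(brand_labels)] == brand_labels for i in range(len(labels))):
            return f"brand-in-subdomain of {brand}"
        # Brand respelled with confusable characters: paypaI.com, paypa1.com, paypal.corn
        if skeleton(reg) == skeleton(brand):
            return f"lookalike of {brand}"
    return "unrelated"


# Constructed sample From headers, including the page's paypaI.com example.
SAMPLE_FROM_HEADERS = [
    "PayPal Support <support@paypal.com>",
    "support@paypaI.com",
    "Netflix <billing@netflix.corn>",
    "PayPal <security@paypal.com.example.net>",
    "colleague@example.org",
]


def scan_headers(headers=SAMPLE_FROM_HEADERS) -> dict:
    """Classify each From header; returns {header: verdict}."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in scan_headers().items():
        print(f"{verdict:34} {header}")
```

A lock icon or valid certificate only proves you reached the domain shown in the address bar, so a spelling check like this on the domain itself is what catches the lookalike.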

How to Avoid the Hook:

Avoid posting personal information anywhere on the web. Social media and other sites are trolled by phishers looking for an effective hook, and they count on unsuspecting users. Practice common-sense password security for every site that you log onto. Most importantly, verify every unexpected link and attachment with a phone call or separate email before clicking.

3. The Lure: CEO Fraud

Phishers assume the identity of the head of the company as the sender. Subject lines and text require those in certain positions to take financial actions, such as making a payment to a bogus vendor.

How to Avoid the Hook:

Don’t hesitate to verify the boss’s email request, especially if it seems out of place. A quick phone call can avoid financial hacks, and overall, CEOs would rather be safe with a phone call than sorry without one.

4. The Lure: Pharming

Phishers also use fake websites to gain your trust and information. They steal a company’s domain name and URL address to appear legitimate, usually providing a link to a well-crafted fake site that’s ready to heist your data.

How to Avoid the Hook:

Even the slightest doubt about a website should be verified. One quick way is to check the site’s security certificate; legitimate sites always have one. First, make sure the lock icon appears to the left of the URL. Clicking on it will let you see the certificate status and view the details if you like. If a certificate isn’t present or is invalid, get out quickly and report your experience to the appropriate person or department.

5. Problem: Phishing for File Sharing

File sharing apps for business are an effective tool for stealing login credentials and downloading malware-infected files. Employees receive emails appearing to be ordinary requests for actions involving file sharing. When they act, phishers are waiting to pounce.

How to Avoid the Hook:

Check those emails carefully and look for grammatical errors and misspellings and always be aware of the service you are entering. Use encryption keys for login verification. If that’s not available, enable two-step verification. Any action toward verifying login information can help thwart a phisher’s goal.

Netflix customers are once again being targeted in a recent scam. The scammers are posing as an employee of the streaming website in an attempt to steal Netflix login credentials and payment card information. They will use the payment card details to make purchases themselves or sell the information on the Dark Web. What do they do with the login credentials? They try the login combination on other sites, hoping to get to your bank account or into some other site that has very sensitive information that they can also steal and sell.

Researchers at PhishMe discovered this most recent scam. Emails purport to be from the Netflix support team asking users to update their accounts.

Any time you are asked to update account details, don’t click links in email messages. Instead, go directly to your account using a previously bookmarked link you are confident is safe. Otherwise, carefully type the website URL into the address bar. Do a quick check to make sure you see that “https://” before putting in any details. If all is clear, go ahead and log in and change your account details that way. This goes for any site, not just Netflix.

The email is addressed as “Dear Valued Customer,” rather than personalized. This suggests it is a mass campaign and should certainly be considered suspect. There is a link in the message where you can click to “update” easily, but that link is malicious and will direct you to a fake webpage.

In this attack, the hackers hope you use the same login credentials on multiple sites. They will try to reuse the passwords in an attempt to get into your financial accounts or healthcare accounts, for example. That’s why you should always use unique passwords for each account you have.

A couple of months ago, another Netflix scam was going around asking users to update payment details to avoid having their accounts deactivated. If you see that one, the same advice applies.

Social engineering is alive and well. It is used so often by cyber criminals because it works and, oftentimes, it’s simple and even low tech. The old ways of getting information and stealing identities, such as pickpocketing, still work, but the number one social engineering technique is still the phishing email.

Following are some examples of ways information was acquired by the "good guys" to show how simply it can be done and to make people aware, which really is most of the battle. All of the tests below were done ethically; the people or companies performing them were either paid by the company to test its security or were proving a point, and any physical items taken were returned.

Let's start with the least technical, but still very effective pickpocketing. While you may immediately question if it's really social engineering, think about street performers, airport lines, concerts and other places where everyone is happy and distracted. Jim Stickley of Stickley on Security is infamous for robbing his friends. In one case, he was traveling with a colleague and noticed that the colleague carried his identification and credit cards in the back pocket of his backpack. When Jim questioned him, he said it was safer than having it separate when he travels. That is understandable as a wallet is one more thing to keep track of when travel gets so hectic. Well, when they were in line to check in, Jim unzipped the backpack and lifted his driver's license and credit cards, zipped up the pocket, and just kept talking.

When they eventually got to the check-in counter, he was called out and came clean. But he’s really a novice; the professionals will use all kinds of ways to get that information, including magic tricks and children as decoys and distractions.

Always keep those items close by and in front pockets whenever possible. While they can still be taken, it is more difficult.

Don't carry credit cards you are not using. Most people use one card, but have many others in their wallets. If you don't need or use them, leave them in a secure place at home.

Never carry your social security card with you. Lock it in a safe place at home.

Always stay aware when in crowded places full of distractions and zip or button your pockets and purses. It just adds one more layer of complication for a pickpocket.

Trustwave did their version of phishing to gain user login names and passwords. Nathan Drier and colleagues sent email messages to employees at a company pretending to be the IT department. The message explained that their external webmail server was upgraded and everyone needed to log in with their credentials. There was a link in the message that the employees clicked and therefore forfeited their user names, passwords, and in some cases their VPN access credentials. That kind of information can allow an attacker to get additional privileges on the network and do all kinds of damage.

Don't fall for clicking a link or opening an attachment in email messages, regardless of who sends them and even if they're sent to your home address, unless you verify it separately first. If IT sends a message asking you to click something, make a call to the department or physically go check when possible, and verify that it's legitimate.

If you have any suspicion of links or attachments in email messages, don't click them. Hackers can do damage to your home network or use your devices to perform malicious attacks against others.

Dumpster diving is not social engineering in and of itself. However, a lot of information can be found in dumpsters that provides avenues into a company or into someone’s home or life. They are rarely locked, and many companies or people don’t bother to shred documents, even those that contain confidential information. And once the trash bin goes onto the street, the contents are fair game.

Stickley says that the lesson here is to shred everything. Even if you don't think it's important, it still might be to someone else.

Invest a little more in a cross-cut shredder that also shreds credit cards and CDs. Even though CDs aren’t used so much anymore, they are still often found lingering in files when it’s time for spring cleaning. So, better to have the capability to shred them when it’s needed.

Nathan Drier of Trustwave once convinced an employee that he was there to fix the workstation he was sitting at, while he was actually installing a backdoor on it. And by picking up the phone and making a couple of calls, Stickley once convinced an employee to give him her password by pretending to be from the company’s IT group. This ultimately gave him VPN access directly into the company’s network.

Don't leave workstations unlocked when you get up to leave. Not only does that allow your co-workers to send embarrassing emails from your account, but it leaves a gaping hole in the security of the organization for people like Drier and Stickley.

Never give passwords to anyone, in person or via phone. Even if you think the "IT guy" can get it anyway, so what’s the problem, don’t give it to him.

Stickley is quite the actor and has often convinced people he's an electrician, from a pest control company, an OSHA inspector, or even a flower delivery person in order to get past the front desk and roam around a company. Being any number of service providers, cyber criminals can do many things. This isn't just at the office, but also at home. A common scam in neighborhoods is for someone pretending to be an alarm company, knocking on the door and asking all kinds of questions about the security of the home in order to provide a quote. With all the wireless home security systems these days, any information about that can open all kinds of doors.

At home, never give information to someone going door to door. If you are truly interested in the service, contact the company separately, and not using information provided by the door-to-door sales rep.

Always ask for credentials from door-to-door reps. Most locales require them to get permits and show them to you whenever they solicit business at homes.

Ask questions of anyone that looks unfamiliar to you if you suspect they don't belong in the neighborhood or at the office. The more questions you ask, the less likely they will stick around to do harm.

Don't trust someone claiming to be the IT guys or tech support if he or she asks for your passwords. They don't need you to give them to them.

The best defense against social engineering tactics is education, whether it's your family or your employees. And don't forget to have the conversations with the kids. With all the internet-connected devices they use now, they are not only a link in the chain, but a very important one.

Phishing is a favorite method for hackers to steal personal data. Unfortunately, Internet users still fall victim to phishing scams over and over.

Phishing involves trying to trick users into either clicking a link in email and providing data in a form on a fake website, or clicking an attachment that installs malicious content on the computer or device. The ZeuS (Zbot) scam is a prime example of this.

Here are a few tips to avoid phishing scams:

Keep all browsers you use up to date. Remember that updating one browser doesn’t update them all, as they are all independent from one another.

Don’t open email messages from unfamiliar senders, open attachments in suspicious messages, or click links that look strange, even if the sender is someone known.

Avoid opening messages that have a subject that appears as if it’s urgent or can’t wait. If it’s that important, a phone call is typically the communication method.

Do not send credit card, social security, or other personally identifiable information via email. Email is not usually encrypted, so anything sent that way travels in plain text and is vulnerable.

Do not click links or open attachments that claim to be from a financial institution but ask for private information to be filled out or credentials to be “verified.” Financial institutions will not request that type of information in that manner.

If a suspicious message is received and it contains contact information, it’s better to go to the organization’s site directly or via a pre-bookmarked link to get the phone number and email addresses. Phishers will create authentic-looking fake sites to try to get information from users, and the contact information on the phony sites goes back to the phishers.

Keep anti-malware and anti-virus programs updated.

Apply critical and security patches to your system as soon as they are available. This applies to mobile devices as well.


Chances are pretty good that you have heard the term business email compromise or BEC by now. It is a type of wire transfer fraud that the FBI has deemed one of the most prevalent types of scam going around these days. In 2017, there were over 15,690 complaints that resulted in total adjusted losses of more than $675 million. That is an 87% increase over 2016 and it is expected to continue to rise. The Identity Theft Resource Center (ITRC) reported that of the fraud related complaints reported in 2017, the most common type was wire transfer fraud.


This Privacy Policy applies to and is provided on behalf of Stickley on Security (collectively referred to as "We", "Us", or "Our") and describes Our information gathering practices and policies in connection with this Site. We value your ("User", "You", or "Your") privacy and recognize the sensitivity of Your personal information. We are committed to protecting Your personal information and using it only as appropriate to provide You with the best possible service, products, and opportunities. Use of this Site constitutes consent to Our collection and use of personal data as outlined herein.

COLLECTION AND USE OF PERSONAL INFORMATION FROM SITE USERS

We collect personally identifiable information from Users who provide it to us for billing purposes. For example, We collect Your name, street address, city, state, zip code, telephone number, email address, and financial information, such as a credit card number, if You use the Site to register or renew a license. We may use this information to contact You regarding the status of Your account and orders placed, and to alert You to new information, products and services, events and other opportunities. We recognize that You may wish to limit the ways in which You are contacted and provide You with opt-out options below. Information about Our experiences and transactions with you, such as your payment history, types of services and/or products you purchased are not shared with organizations outside of Stickley on Security.

We will not disclose to third parties (that is, people and companies that are not affiliated with Us) individually identifying information, such as names, postal and e-mail addresses, telephone numbers, and other personal information, except to the extent that it is necessary to process and provide You with Your order, license request or other request. Your contact information may also be provided to the extent necessary to comply with applicable laws or legal processes (e.g., subpoenas), or to meet contractual obligations outlined in this policy, or to protect Our rights or property. We will cooperate with all law enforcement authorities.

If Your order, license request or other request is processed by a third-party, or if You are provided with bulletin boards and chat rooms and/or email capabilities on this Site, please note that in the event that You voluntarily disclose personally identifiable information in those instances, that information, along with any substantive information disclosed in Your communication or post, can be collected, correlated and used by third parties. This may result in unsolicited messages from third parties. Such activities are beyond Our control, and We encourage You to check the applicable privacy policy of such party when providing personally identifiable information.

For each visitor to this Site, Our server can detect and collect certain information, including the User's domain name and e-mail address, and can identify the Web pages the User visited or accessed. We may use this information in order to measure interest in and use of the various areas of the site.

We do not knowingly solicit information from children and We do not knowingly market the Site or its services to children.

OPT-OUT

You may at any time opt out of having Your personal information used by Us to send You promotional correspondence by contacting Us via the e-mail provided in the "Contact Us" section below.

PROMOTION CODES

"Promotion codes" are offered by third-party affiliates of the Stickley on Security Training Videos. If you choose to include a "Promotion Code" when placing your order, the affiliate who is associated with that promotional code will receive your organizations name. They will NOT however receive any other information related to your account. The sharing of the organization name only applies when a "Promotion Code" is included during the order process.

USE OF COOKIES

1. First-party cookies
User input cookies, to keep track of the user's input when filling in online forms, shopping carts, etc., for the duration of a session, or persistent cookies limited to the duration of an operation such as a purchase or trial;
User identification persistent cookies, to identify whether the user is visiting the website for the first time;
Authentication cookies, to identify the user once he or she has logged in, for the duration of a session;
User interface customization cookies, such as time zone and shopping cart status info, for the duration of a session (or slightly longer).

2. Third-party cookies
Social plug-in content sharing cookies, for logged-in members of a social network;
Google Analytics cookies, to generate statistical data on how the visitor uses the website.

How do we use them?
Where strictly necessary. These cookies and other technologies are essential in order to enable the Services to provide the feature you have requested, such as remembering you have logged in.

For functionality. These cookies and similar technologies remember choices you make such as time zone and shopping cart info. We use these cookies to provide you with an experience more appropriate with your selections and to make your use of the Services more tailored.

For performance and analytics. These cookies and similar technologies collect information on how users interact with the Services and enable us to improve how the Services operate. For example, we use Google Analytics cookies to help us understand how visitors arrive at and browse our products, services and website to identify areas for improvement such as navigation, user experience, and marketing campaigns.

Social media cookies. These cookies are used when you share information using a social media sharing button or “like” button on our websites or you link your account or engage with our content on or through a social media site. The social network will record that you have done this. This information may be linked to targeting/advertising activities.

How can you opt-out?
To opt-out of our use of cookies, you can instruct your browser, by changing its options, to stop accepting cookies or to prompt you before accepting a cookie from websites you visit. If you do not accept cookies, however, you may not be able to use our Services.

Updates to this Cookie Policy
This Cookie Policy may be updated from time to time. If we make any changes, we will notify you by revising the "effective starting" date at the top of this notice.

INFORMATION SECURITY AND CONFIDENTIALITY

We maintain physical, electronic and procedural safeguards to prevent the unauthorized release of or access to Your personal information. When We transfer and receive certain types of sensitive information such as financial information, We redirect visitors to a secure server. We do not store or reuse Your credit card information. We do not record or manage financial information about You (including credit card and other payment information). However, such precautions do not guarantee that this Site is invulnerable to all security breaches. We make no warranty, guarantee, or representation that the use of this Site is protected from viruses, security threats, or other vulnerabilities and that Your information will always be secure. We cannot guarantee the confidentiality of any communication or material transmitted to/from Us via the Site or e-mail. Use of the Internet is solely at Your own risk and is subject to all applicable local, state, federal, and international laws and regulations.

THIRD PARTY PROCESSING

Stickley on Security uses the vendor Authorize.net to process all payment transactions. When making a purchase on this site, You also accept the Terms and Conditions and Privacy Policy of Authorize.net.

CONTACT US

This Privacy Policy may be updated periodically and posted on this Site. It applies only to Our online practices and does not encompass other areas of the organization. We reserve the right to change this Policy at any time by posting revisions. By accessing or using the Site, You agree to be bound by all of the Terms of this Privacy Policy as posted at the time of Your access or use. We reserve the right to contact Users of the Site regarding changes to the Terms and Conditions generally, this Privacy Policy specifically, or any other policies or agreements relevant to the Site's Users. If You have any questions about this Policy, You may email to:
